
Security architecture
Our security architecture protects data at every layer, from encryption and access controls to continuous testing and incident readiness.
Encryption
- AES-256 encryption at rest for all stored data, including databases, file storage, and backups
- TLS 1.3 encryption in transit for all API communications, webhook deliveries, and internal service traffic
- Customer-managed encryption key support (BYOK) for enterprise accounts requiring independent key custody
Access controls
- Role-based access control with granular permissions across organisations, teams, and individual resources
- Multi-factor authentication enforced for all user accounts with support for TOTP, hardware keys, and SSO via SAML 2.0
- Principle of least privilege applied to all internal systems, with just-in-time access for production environments
Penetration testing
- Annual third-party penetration tests conducted by CREST-accredited security firms covering infrastructure, APIs, and web applications
- Continuous automated vulnerability scanning across all production services with prioritised remediation SLAs
- Responsible disclosure programme with defined scope and safe harbour for external security researchers
Incident response
- Documented incident response plan with defined severity levels, escalation paths, and communication protocols
- 72-hour breach notification to affected customers and supervisory authorities in compliance with GDPR Article 33
- Post-incident review process with root cause analysis and remediation tracking published to affected parties
Need the full evidence pack?
Request our comprehensive trust pack containing the security whitepaper, available SOC 2 Type II programme artefacts (subject to programme status), data processing agreement template, sub-processor list, and penetration test executive summary. Available to prospective and current customers under NDA.